Do not encrypt CTCP TYPING messages #132
Comments
|
If we did not encrypt CTCP TYPING it would leak some information and would be a surprise to users who expect their entire session to be encrypted. We could potentially add an option to either:
There was a thread on otr-dev about this issue: https://lists.cypherpunks.ca/pipermail/otr-dev/2012-December/001522.html |
|
Why wouldn't this option propose not to encypt this CTCP message ? If you see a security leak (which I don't), you can disable it by default, and put a warning in documentation/option description/whatever. Because blocking all CTCP TYPING message isn't satisfying and converting it in plain text is very ugly. |
|
I haven't tested this but you could try adding this to the After: # skip processing messages to public channels
if parsed['to_channel']:
return stringAdd: if re.match('\x01TYPING [01]\x01$', parsed['text']):
return string |
|
I am still not convinced that starting to introduce regexp matching for forced cleartext messages is a good idea. Or if we do that, we should probably go hunt for all non-message exchanges that XMPP allows, and exempt them one by one, which might be painful given all possible protocol extensions. @mathieui how is this handled on poezio? |
|
@mmb thank you for the code snippet. |
|
@raspbeguy Did you have a chance to give it a try? Did it work? |
Hello,
I use OTR in weechat to talk to friends on XMPP, so I use a Bitlbee gateway. I also uses a script that sends CTCP TYPING messages to bitlbee which will translate it to the common "typing" status in XMPP, but also in other protocols.
The problem is that even the CTCP TYPING message is encrypted, so bitlbee is unable to translate it and thinks it is a regular message, so my friends receive an weird message each time I type something.
Would it be doable to make your script not encrypt CTCP TYPING notifications ?
Thanks.
The text was updated successfully, but these errors were encountered: